Isolate (separate subnets) DHCP dynamic clients from MAC reservation clients

Hi,

I'm running OpenWrt on an x86 mini PC; it only has 2 Ethernet ports (LAN and WAN). I have an R7000 running stock Netgear firmware being used in AP mode. Everything is connected with a non-managed switch.

So my goal is to have clients with a DHCP reservation on a different subnet than those with a dynamic DHCP address.

I got it working with this guide: Create 2 separated networks on LAN interface

But the problem is that any dynamic DHCP client can just manually change the IP address on their device, and they are connected to the protected subnet.

Is it possible without VLANs?

No...

Traffic between clients is handled by the external switch, and it does not even reach the router. There is nothing you can do to prevent the situation you described.

Have a look at IEEE 802.1X, but I would reconsider VLANs before going there.


Thanks, my issue with VLANs is that I only have the 2 ports on the mini PC (WAN/LAN). I'm kind of a newb, but as I understand it, I would need an extra port or maybe a switch that has VLAN support.

The client-to-client traffic through the unmanaged switch doesn't reach the router.
Although you can filter traffic to and through the router itself by IP and MAC.
But if we consider IP spoofing possible, then MAC spoofing is also possible.
So, reliable isolation requires separate managed ports or extra authentication.


How are the router, the switch and the access point connected?
How many wired and wireless devices do you own, for each network?
Could you plug all your wired devices to the access point?


@eduperez here is the simple network diagram. The AP is in the middle of the house; it has 2 wires running to the switch through the attic from the old setup (when it was used as a router and AP). We probably have around 10-15 wired devices and maybe 6 wireless.

Unfortunately, due to the location of the AP, I cannot plug all devices into the AP.

@vgaetera I would think MAC spoofing would be more difficult than IP spoofing, but maybe not. Maybe I just need to change the internal network IP to something that would be harder to guess.

I do not think you can do what you need, without a managed switch.


Are the DHCP clients only on Wi-Fi? If they are only on Wi-Fi, you can just turn the R7000 into a router again and connect its WAN port to the switch.

If you have DHCP clients on both Wi-Fi and Ethernet, you need a "managed switch" or a "smart switch" so you can separate them.

Or add more Ethernet ports to the OpenWrt PC (add a network card? I don't know how easy it is to add cards to that PC) and buy another unmanaged switch so you can keep the other subnet on a different switch.


MAC spoofing is very easy, even on Windows devices: https://sguru.org/spoof-mac-address-windows-10/
It is barely good enough to control young kids' internet access (parental controls).

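The two points made above, that client-to-client frames through an unmanaged switch never reach the router and that a router-side MAC+IP filter is defeated by a client that clones both, can be seen in a toy model. This is an added example, not code from the thread or from OpenWrt: it simulates a MAC-learning switch, two hosts and a router whose filter is keyed on (source MAC, source IP). All names and addresses are made up for the simulation, and ARP is left out (frames carry the destination MAC directly).

```python
# Added example (not from the thread): toy model of an unmanaged switch plus a
# router that filters on (source MAC, source IP). Names, MACs and IPs are
# invented for the simulation; ARP is elided, frames carry the destination MAC.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str = ""


class UnmanagedSwitch:
    """Learns which port each source MAC was last seen on and forwards by
    destination MAC only. It knows nothing about IP subnets or VLANs."""

    def __init__(self):
        self.ports = {}      # port number -> attached device
        self.mac_table = {}  # MAC -> port number

    def attach(self, port, device):
        self.ports[port] = device
        device.switch, device.port = self, port

    def transmit(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port  # learn (or re-learn) the source
        out = self.mac_table.get(frame.dst_mac)
        # Known destination: one port. Unknown destination: flood the others.
        targets = [out] if out is not None else [p for p in self.ports if p != in_port]
        for p in targets:
            self.ports[p].receive(frame)


class Host:
    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.switch = self.port = None
        self.received = []

    def send(self, dst_mac, dst_ip, payload, src_mac=None, src_ip=None):
        # The client controls its own source fields: the defaults are its real
        # MAC and IP, but either can be overridden, which is all spoofing is.
        frame = Frame(src_mac or self.mac, dst_mac, src_ip or self.ip, dst_ip, payload)
        self.switch.transmit(self.port, frame)

    def receive(self, frame):
        if frame.dst_mac == self.mac:
            self.received.append(frame)


class Router(Host):
    """Router-side filter keyed on (source MAC, source IP); it can only ever
    judge frames that are addressed to the router in the first place."""

    def __init__(self, name, mac, ip, allowed):
        super().__init__(name, mac, ip)
        self.allowed = set(allowed)  # (MAC, IP) pairs that hold a reservation
        self.accepted, self.dropped = [], []

    def receive(self, frame):
        super().receive(frame)
        if frame.dst_mac != self.mac:
            return
        ok = (frame.src_mac, frame.src_ip) in self.allowed
        (self.accepted if ok else self.dropped).append(frame)


def run_scenario():
    sw = UnmanagedSwitch()
    protected = Host("nas", "02:00:00:00:00:01", "192.168.2.10")    # has a reservation
    dynamic = Host("guest", "02:00:00:00:00:02", "192.168.1.50")    # dynamic lease
    router = Router("openwrt", "02:00:00:00:00:fe", "192.168.2.1",
                    allowed={(protected.mac, protected.ip)})
    for port, dev in enumerate((protected, dynamic, router), start=1):
        sw.attach(port, dev)
    # Prime the switch's MAC table the way ordinary traffic would.
    protected.send(router.mac, router.ip, "hello")
    dynamic.send(router.mac, router.ip, "hello")
    router.send(protected.mac, protected.ip, "hello")

    # 1. The guest gives itself an address in the "protected" subnet and talks
    #    to the NAS directly. The switch delivers it; the router sees nothing.
    before = len(router.received)
    dynamic.send(protected.mac, protected.ip, "direct", src_ip="192.168.2.77")
    direct_delivered = any(f.payload == "direct" for f in protected.received)
    router_saw_direct = len(router.received) != before

    # 2. Towards the router, changing only the IP is still caught by the filter...
    dynamic.send(router.mac, router.ip, "ip-only", src_ip=protected.ip)
    ip_only_dropped = any(f.payload == "ip-only" for f in router.dropped)

    # 3. ...until the guest clones the NAS's MAC too. The filter accepts it, and
    #    the switch now believes the NAS's MAC lives on the guest's port.
    dynamic.send(router.mac, router.ip, "cloned",
                 src_mac=protected.mac, src_ip=protected.ip)
    cloned_accepted = any(f.payload == "cloned" for f in router.accepted)
    mac_table_poisoned = sw.mac_table[protected.mac] == dynamic.port

    return {
        "direct_delivered": direct_delivered,
        "router_saw_direct": router_saw_direct,
        "ip_only_dropped": ip_only_dropped,
        "cloned_accepted": cloned_accepted,
        "mac_table_poisoned": mac_table_poisoned,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Step 1 is the situation the original poster hit: a second subnet on the same broadcast domain is an addressing convention, not a boundary, because the switch forwards on destination MAC alone. Step 3 also shows why cloning a MAC is worse than a filter bypass: the switch re-learns the cloned MAC on the attacker's port, so the victim's inbound traffic starts arriving there as well. Separating the ports (VLANs on a managed switch, or a second NIC and switch) or authenticating them (802.1X) is what actually removes the path.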

@bobafetthotmail I will have both DHCP and static reservation clients on the Wi-Fi.

Thanks for all the info, guys. You are right, I will look for a managed switch or, probably easier, just get an OpenWrt-compatible router to replace the R7000.
